github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 16:42:14 +00:00
Code Issues Projects Releases Wiki Activity

fix(userspace/falco): print right list in ignored events warning

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2022-10-11 14:41:13 +00:00 committed by poiana
parent 48fbe0801d
commit a4218a4b4f
1 changed files with 7 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
userspace/falco/app_actions/load_rules_files.cpp
View File

@ -17,6 +17,8 @@ limitations under the License.
#include "application.h" #include "application.h"
#include <plugin_manager.h> #include <plugin_manager.h>
#include <unordered_set>
using namespace falco::app; using namespace falco::app;
bool application::check_rules_plugin_requirements(std::string& err) bool application::check_rules_plugin_requirements(std::string& err)
@ -43,52 +45,20 @@ void application::check_for_ignored_events()
/* Get the events we consider interesting from the application state `ppm_sc` codes. */ /* Get the events we consider interesting from the application state `ppm_sc` codes. */
std::unique_ptr<sinsp> inspector(new sinsp()); std::unique_ptr<sinsp> inspector(new sinsp());
auto interesting_events = inspector->get_event_set_from_ppm_sc_set(m_state->ppm_sc_of_interest); std::unordered_set<uint32_t> events(rule_events.begin(), rule_events.end());
std::unordered_set<uint32_t> ignored_events;
for(const auto& it : rule_events) auto event_names = inspector->get_events_names(events);
for (const auto& n : inspector->get_events_names(m_state->ppm_event_info_of_interest))
{ {
/* If we have the old version of the event we will have also the recent one event_names.erase(n);
* so we can avoid analyzing the presence of old events.
*/
if(sinsp::is_old_version_event(it))
{
continue;
}
/* Here we are interested only in syscall events the internal events are not
* altered without the `-A` flag.
*
* TODO: We could consider also the tracepoint events here but right now we don't have
* the support from the libraries.
*/
if(!sinsp::is_syscall_event(it))
{
continue;
}
/* If the event is not generated by the running system we don't print
* any warning right now.
*/
if(!sinsp::is_generable_event(it))
{
continue;
}
/* If the event is not in this set it is not considered by Falco. */
if(interesting_events.find(it) == interesting_events.end())
{
ignored_events.insert(it);
}
} }
if(ignored_events.empty()) if(event_names.empty())
{ {
return; return;
} }
/* Get the names of the ignored events and print them. */ /* Get the names of the ignored events and print them. */
auto event_names = inspector->get_events_names(ignored_events);
std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl; std::cerr << std::endl << "Rules match ignored syscall: warning (ignored-evttype):" << std::endl;
std::cerr << "Loaded rules match the following events:" << std::endl; std::cerr << "Loaded rules match the following events:" << std::endl;
for(const auto& it : event_names) for(const auto& it : event_names)